You will note the new title for this episode, Life With GDPR. When Jonathan Armstrong and I began this series in early 2018, we had intended to give listeners a grounding in the new law in the lead up to its go-live date of May 25. However, the response was so overwhelming and Jonathan and I had so much fun putting on the podcasts that we decided to make Countdown to GDPRa permanent part of the Compliance Podcast Network, albeit with a more appropriate name. So welcome to the re-monikered Life With GDPR, which I hope you will enjoy as much as you enjoyed its predecessor. Today Jonathan and I take up the issue of non-monetary penalties.

While most practitioners focused on the heavy fines and penalties available under the General Data Protection Regulation (GDPR) of up to 4% of total global revenues or other very large fines, there are other remedies that each EU and UK data regulator can levy or put into place that may require considerable corporate cost and effort. Moreover, these lessor penalties and sanctions can be the precursor to larger monetary fines and penalties. Armstrong emphasized that each EU country has its own regulator and they will have varying degrees of aggressiveness.

Armstrong pointed to three areas the regulators can order companies to engage in activities. First, it can order a GDPR audit to determine if it has previously assessed its data protection/data privacy issues correctly. Here he pointed to an example of a healthcare organization that was ordered to perform a Data Protection Impact Assessment (DPIA) and report back to the regulators within one month.

Next, Armstrong pointed to the joint areas of date controllers and data processors. Regulators can require a company Data Protection Officer (DPO) to comply with data requests, even Subject Access Requests (SARs). He referenced to a recent example from the UK involving Cambridge Analytica, which was ordered to comply with a US academic’s SAR. Further, a regulator can order a company to bring its data protection program in line with GDPR. Additionally, regulators can maintain investigations in the form of data protection audits and have the right to obtain access to any premises of the controller and the processor, including any data processing equipment by obtaining a warrant. This may prove to be a significant tool in the data protection regulators’ toolkit.

Regulators can also order companies to stop certain activities. Here Armstrong provided the example of a US based company with operations in Europe who is not GDPR compliant around its internal reporting structures. An EU regulator could order the company to suspend its hotline in Europe until there is compliance. Under such a scenario, the US Company would be out of compliance with US securities law and it may be at risk under best practices compliance programs under the Foreign Corrupt Practices Act (FCPA), Anti-Money Laundering (AML) regulations, export control regulations or even US anti-trust law.

Armstrong emphasized that it is not simply the regulators who have powers under GDPR, individuals do as well. SARs of course are well-known but there are other individual rights Armstrong emphasized. If an individual files some type of GDPR complaint with a statutory regulator, who does not take up the complaint within 30, days that individual can appeal against both the regulator to get the complaint moving forward. This means that individuals can file SAR actions against companies that do not respond in a timely manner to SARs. Moreover, such individuals can then band together in a class action lawsuit over such failures. There is also a mechanism for equitable reallocation of damages between parties. If a data processor has to pay damages properly attributable to a data controller, GDPR Article 82 provides a procedure for claiming these damages back. Finally, recall that any person who has suffered “material or non-material damage” due to an infringement of the new rules has a right to compensation from the data controller or processor concerned for the damage suffered and you begin to realize the powers that individuals hold under GDPR.

Interestingly, Armstrong believes that the number of regulatory and individual remedies will mandate that if companies have an incident, they should investigate and remediate quickly. From there, the entity should prepare their investigative results, remedies and internal sanctions they may have put in place on those employees involved. These steps will all go towards mitigating any proposed financial penalty the regulators may be considering. Basically, businesses need to have their ducks in a row, as it can lead to not only reduced costs for corporations, but also could well lead to greater compliance if tied to a root cause analysis.

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a deep dive back into the issue of the ZTE monitorship announced recently as a part of the settlement with the Department of Commerce on the death penalty sanctions levied on the company in April.

That sanction was an export denial which barred American companies from selling components to ZTE and its subsidiary. American companies, such as the San Diego-based chipmaker Qualcomm supplied critical parts for ZTE’s its networking gear and smartphones. This sanction came on the heels of a $891 million fine and penalty the company agreed to in March 2017 for its first round of export control violations. The second sanction was for failing to live up to the terms of the DPA the company agreed to in 2017.

In the 2017, the company agreed to a monitor, who was appointed by the District Court which accepted the company’s guilty plea. Under the May 2018 supplemental sanction, ZTE agreed to pay an additional $1 billion in penalties, put $400 million in escrow, and accept a U.S.-appointed compliance department. According to the Department of Commerce Press Release, the new agreement requires ZTE “to retain a team of special compliance coordinators selected by and answerable to” the Commerce Department for ten years. This new compliance function will essentially serve as the Department of Commerce’s monitor at ZTE as the Press Release noted, “Their function will be to monitor on a real-time basis ZTE’s compliance with U.S. export control laws.”

Matt and I take a deep dive into the DOC resolution, the monitorship and how it might work and the use of a sanctions regime by the administration as a tool to brow beat other countries. We discuss in detail on this bizarro arrangement of U.S. regulators appointing an in-house compliance executive to act as a monitor to the Chinese telecom firm. The concept is intriguing, and the job could be the professional challenge of a lifetime — except for all those pesky details, including the ones this settlement still leaves unaddressed.

For more reading: see Matt’s piece on “FAQs on ZTE’s Compliance Settlement” and “Trade War! Trade War! Man the Barricades!”, both on Radical Compliance. See Tom’s piece, “The ZTE Department of Commerce Monitor: unchartered waters” in Compliance Week.

Building and operating an effective compliance program is a tall order if you don’t have the information or the tools – and people – to make it happen. Today, Tom’s talks with Greg Radner, the chief marketing officer of RANE (Risk Assistance Network + Exchange), about his company’s innovative compliance assistance solutions in the management of risk.

  • What do Greg and the team at RANE do in the compliance arena? Greg gives us the lowdown on what RANE’s focus is: addressing compliance dysfunction by giving professionals the tools to build robust preventative compliance programs to avoid chronic reactionary compliance efforts.
  • Greg lays out three areas where RANE identified compliance dysfunction in the market today: information overload, reactive risk management, and finding the appropriate expertise for the job.
  • How are RANE’s offerings unique compared to other compliance solutions companies? Greg talks about RANE’s expert network, a global network of over 5000 risk experts and service providers that focus on six main areas: physical safety and security, cybersecurity, governance risk and compliance, due diligence and geopolitical risk, medical/psychological risk and legal/regulatory risk.
  • RANE’s mantra is simple: proactive is always better than reactive. Through a daily newsletter called RiskBook and other informative periodicals, RANE arms clients with curated information – developed by RANE or other parties – that addresses the risk situations that truly matter to them.
  • As we’ve seen with RANE’s focus areas above, the areas relevant to the compliance profession have become highly diverse. Tom asks Greg about how this situation is manifesting in RANE’s work; Greg talks about RANE’s focused webinars and about their custom-made periodical monitors, packed with targeted information.
  • Tom asks Greg about one of RANE’s key philosophies: doing more with less. Greg talks about the power of leveraging the network and how making RANE’s experts available to CCO’s can act as an extremely valuable extension of their own resources.
  • Emerging markets can feature a plethora of different kinds of risks. Tom asks Greg about RANE’s solution for making sure a CCO isn’t overloaded by information when trying to keep up with emerging risk. Greg gives some insight into RANE’s curation service and their risk desk team. These folks know the expert network back to front and can tap into exactly what a CCO needs to know.
  • With a diversity of risk and compliance situations comes a requirement for custom-tailored solutions. Greg talks about RANE’s subject matter experts and the ins and outs of matching a client with the right solutions providers.


Greg Radner on LinkedIn

RANE (Risk Assistance Network + Exchange)

RiskBook email alert registration

If you’re a compliance professional looking for a convenient and effective way to fulfill your continuing education requirements, check out our Compliance Courses and choose from 4 hour-long training packages that will keep you up to date with the latest developments in the compliance field.

In this episode, I visit with Kristy Grant-Hart, founder of Spark Compliance Consulting and author of now three books in the compliance arena. We discuss her most recent book “How to Have a Wildly Successful Career in Compliance“, which will be released on on June 19. For those of you who have seen Kristy speak you know she is high energy and very passionate about compliance and the compliance profession. She channels that energy and passion into her latest book. In this podcast we discuss:

  • Why she wrote this book?
  • Why the winding career of a compliance professional so important?
  • Why it more important for women to “Ask for it?” around salary/comp/promotions?
  • Why moving up the corporate ladder more like climbing a jungle gym?
  • Why understanding the numbers and business plan so important to a compliance professional?
  • How does one raise their profile in the compliance profession?
  • Why is collaboration so important for a compliance professional and a corporate compliance function?

Kristy is the author of two prior books on compliance, How to Be a Wildly Effective Compliance Officerand Wildly Strategic Compliance Officer Workbook. Both are must reads for compliance professionals. Her latest entry gives solid tips and point-by-point steps on how to have a successful career in the compliance field. But it is more than simply Kristy’s thoughts as she interviewed compliance professionals from literally across the globe on how they have become wildly successful.

Yet there is one thing about the book that I think makes it most useful for every compliance practitioner out there. It is that the book works on multiple levels and for multiple stakeholders. Obviously, it is targeted and works for the compliance practitioner but it also works for a CCO who is thinking about working with senior management and a Board of Directors. Further it works on a compliance program level, with many of Kristy’s tips translating into compliance program best practices.

Finally Kristy tackles head on the issue of women succeeding in the compliance profession. She writes this chapter with clear-eyed focus; not ranting or raving but giving women the tools, they need to succeed in the compliance profession and in the greater corporate world. I found this chapter so powerful I bought a copy for my 21-year-old daughter to help prepare her for your professional career after she graduates from college.

To purchase a copy of How to Have a Wildly Successful Career in Complianceon, click here.

For more information on Kristy’s books, check out her site, Compliance Kristy by clicking here.

Finally for more information on Kristy’s consulting company, Spark Compliance Consulting, click here.

With both VW and ZTE having very bad weeks, Jay Rosen and myself are back in the saddle  again to take a look at some of the top compliance stories from the past week.

  1. Having a bad week-Part 1, Volkswagen. First the head of its Audi unit is announced to be under investigation (here). Then Germany fines the company €1 bn for the emissions-testing fraud (here). Finally German prosecutors rejct the myth of “rogue engineers” in the scandal, saying the company is responsible as a whole (here). All reported in the New York Times.
  2. Having a bad week-Part 2, ZTE. After having reached a settlement between ZTE and the Department of Commerce, Congress moves to block the settlement. Michael C. Bender,  Siobhan Hughes and  Kate O’Keeffe report on the political perspective in the Wall Street Journal. From the compliance angle, many questions abound. Gerry Zack, writing in the FCPA Blog, says don’t call the persons reporting to the DOC mandated compliance officers as they are monitors. Matt Kelly offers up informative FAQs on the monitorship in Radical Compliance. Tom considers the uncharted waters of the settlement in Compliance Week(sub req’d)
  3. The court evisserates the DOJ’s argument against the AT&T purchase of Time Warner. Henry Cutter uses the merger go-ahead from Judge Leon to explore the compliance challenges in mega-mergers (and small ones too). In the WSJ Risk & Compliance Journal.
  4. Bill Steinmann says (yet again) that FCPA enforcement is not dead. It’s not that he’s tired of saying it, he just wishes the nay-sayers would unplug their ears and start to listen. On the FCPA Blog.
  5. Goldman Sachs made $600 peddling 1MDB bonds. The new Malaysian government wants some of that money back. Alexandra Stephenson and Hannah Beech report in the New York Times.
  6. CCO’s behaving badly. The Standard Chartered CCO has left the bank for inappropriate behavior. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  7. Looking to do business with Trump’s newest buddy North Korea? Dick Cassin says be careful, be very careful in the FCPA Blog.
  8. Anti-piling on is a two-way street, as it requires responsible actions by companies as well. Michael Griffiths reports in GIRon remarks by Justice Department FCPA Unit Chief Dan Kahn.
  9. Need some CLE or Compliance know-how? Join Tom’s Compliance Master Class, which next week Houston on June 21 & 22. Just a couple of seats left. Information and registration is available here. Learn about compliance from the guy who wrote the book on compliance.
  10. Support your local book sellers! River Oaks Bookstore, 3270 Westheimer, in Houston is now stockingThe Complete Compliance Handbook. Tom will be on hand for a book signing on Thursday, June 28 from 5:30 to 7.
  11. Tom’s new book The Complete Compliance Handbookremains a hot seller. It is available oncom. Purchase an autographed copy here. It is reviewed in the FCPA Blog, Radical Complianceand Corruption, Crime and Compliance.
  12. Serving up some Breakfast and Compliance. Join Tom in Boston on June 25 at the offices of Affiliated Monitors to learn here about show the story of compliance is the story of innovation. For more information and registration, click here.


For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at